Chapter 3 Initial Configuration

Configuring Security Features

Configuring TACACS+

To configure your router to support TACACS+, perform the following tasks:

Step 1 Use the aaa new-model global configuration command to enable AAA. AAA must be configured if you plan to use TACACS+. Refer to the “AAA Overview” chapter in the Cisco IOS Security Configuration Guide.

Step 2 Use the tacacs-server host command to specify the IP address of one or more TACACS+ daemons. Use the tacacs-server key command to specify an encryption key that is used to encrypt all exchanges between the network access server and the TACACS+ daemon. This same key must also be configured on the TACACS+ daemon.

Step 3 Use the aaa authentication global configuration command to define method lists that use TACACS+ for authentication. Refer to the “Configuring Authentication” chapter in the Cisco IOS Security Configuration Guide.

Step 4 Use line and interface commands to apply the defined method lists to various interfaces. Refer to the “Configuring Authentication” chapter in the Cisco IOS Security Configuration Guide.

Step 5 If needed, use the aaa authorization global command to configure authorization for the network access server. Unlike authentication, which can be configured per line or per interface, authorization is configured globally for the entire network access server. Refer to the “Configuring Authorization” chapter in the Cisco IOS Security Configuration Guide.

Step 6 If needed, use the aaa accounting command to enable accounting for TACACS+ connections. Refer to the “Configuring Accounting” chapter in the Cisco IOS Security Configuration Guide.

Refer to the “Configuring TACACS+” chapter in the Cisco IOS Security Configuration Guide.
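The six steps above collected into one configuration, added here as an example rather than taken from the guide. The daemon addresses, the shared key, the local account, and the method-list names are placeholders; the syntax is standard Cisco IOS and should be confirmed against the ONS 15530 command reference for this release. The method lists fall back to the local database, and the console line uses local authentication only, so an unreachable TACACS+ daemon cannot lock out all management access.

```cisco
! Step 1: enable AAA (required before any TACACS+ command takes effect)
aaa new-model
!
! Step 2: TACACS+ daemons and the shared key; the same key must be
! configured on every daemon listed here (placeholder addresses and key)
tacacs-server host 192.0.2.10
tacacs-server host 192.0.2.11
tacacs-server key EXAMPLE-SHARED-KEY
!
! Local account used only as a fallback when no daemon responds
username admin privilege 15 secret EXAMPLE-LOCAL-SECRET
!
! Step 3: method lists -- ask TACACS+ first, fall back to the local
! database (or the enable secret) when no daemon answers
aaa authentication login VTY-LOGIN group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication enable default group tacacs+ enable
!
! Step 5: authorization is global (the default list only); EXEC shell
! and privilege-15 commands are checked against the daemon's policy
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Step 6: accounting -- start/stop records for EXEC sessions and for
! every privilege-15 command, giving an audit trail on the daemon
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Step 4: apply the login method lists to the terminal lines
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication VTY-LOGIN
```

Enter these commands from a session that stays open until a second session has confirmed that TACACS+ login works; a typo in the key or a daemon that is not yet reachable shows up as a rejected login on the second session rather than as a lost shelf.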

Configuring Traffic Filters and Firewalls

The Cisco ONS 15530 supports the traffic filter and firewall features provided by Cisco IOS.

Traffic filters provide basic traffic filtering capabilities with access control lists (also referred to as access lists). Access lists can be configured for all routed network protocols (IP, AppleTalk, and so on) to filter the packets of those protocols as the packets pass through a system. You can configure access lists on your Cisco ONS 15530 to control access to a network, preventing certain traffic from entering or exiting a network.

Firewalls are networking devices that control access to your organization's network assets. You can position firewalls to control access at the entrance points into your network, or to control access to a specific part of your network.

Refer to the “Traffic Filtering and Firewalls” part in the Cisco IOS Security Configuration Guide.
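An access list in the role the paragraph above describes, added here as an example and not from the guide: it restricts management sessions to one management subnet. The subnet, the list name, and the interface name are placeholders; the port matches the management protocol in use (22 here, assuming SSH), and the syntax should be confirmed against the ONS 15530 command reference for this release.

```cisco
! Named extended access list: only hosts on the management subnet
! (placeholder 192.0.2.0/24) may open a management session; everything
! else is dropped and logged so probing shows up in the log buffer
ip access-list extended MGMT-ONLY
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 deny   ip any any log
!
! Apply the list to the terminal lines with access-class; this filters
! sessions to the shelf itself regardless of the interface they arrive on
line vty 0 4
 access-class MGMT-ONLY in
!
! The same list can filter transit traffic on a routed interface with
! ip access-group; INTERFACE-NAME is a placeholder for the interface
! carrying the management network on this shelf
interface INTERFACE-NAME
 ip access-group MGMT-ONLY in
```

Every IOS access list ends with an implicit deny, so the explicit deny line changes nothing about what is passed; it exists only to add the log keyword. Test the list from a host on the permitted subnet before closing the session that applied it.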

Configuring Passwords and Privileges

Using passwords and assigning privilege levels is a simple way of providing terminal access control in your network. You can configure up to 16 different privilege levels and assign each level to a password. For each privilege level you define a subset of Cisco IOS commands that can be executed. You can use these different levels to allow some users the ability to execute all Cisco IOS commands, and to restrict other users to a defined subset of commands.
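A worked privilege-level configuration, added here as an example and not from the guide: it defines an operator level 5 with its own secret and a small set of commands moved down from level 15. The secrets are placeholders, and the command syntax should be confirmed against the ONS 15530 command reference for this release.

```cisco
! Level 15 keeps the full Cisco IOS command set
enable secret EXAMPLE-LEVEL15-SECRET
!
! Level 5: an operator level protected by its own secret
enable secret level 5 EXAMPLE-LEVEL5-SECRET
!
! Move selected level-15 commands down to level 5; any command not
! listed keeps its default level, so level 5 cannot enter
! configuration mode or change the running configuration
privilege exec level 5 show running-config
privilege exec level 5 clear counters
privilege exec level 5 clear line
!
! Record who changes the configuration and when, for the audit trail
login on-success log
```

An operator reaches the level with enable 5 and the level-5 secret, and show privilege confirms the current level. Note that show running-config at level 5 displays only the commands that level is permitted to execute, which is the intended effect rather than an error. If login on-success is not accepted on this release, omit that line; the privilege commands do not depend on it.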

Cisco ONS 15530 Configuration Guide and Command Reference
78-16019-02, Cisco IOS Release 12.2(18)SV2
3-11